What is an @aptos keyless account? 🧵
It's a blockchain account derived from (say) your Google account and an application (wallet, dapp, etc.).
It's bound not just to you (e.g., you@gmail.com) but also to the application (e.g., @PetraWallet, or @ThalaLabs, or @VibrantXFinance).
🧵 What is a zero-knowledge proof [system]?
It's the *sane* way of proving a statement is true.
For example, say I want to convince you I can solve a Sudoku puzzle *x*.
Why should I have to give you the solution *w* to the puzzle? You did not ask me for the solution, did you?
Did you ever hear about these fancy-shmancy elliptic curves with “pairings” or “bilinear maps”? Did you know *S*NARKs would not be possible without them? Or that jail time can be conducive to great mathematical results?
If so, this blog post is for you:
Want to write or play randomized games on @Aptos_Network in Move? 🎮
We are looking for feedback on our on-chain, distributed randomness API in Move 🎲!
See Aptos Improvement Proposal (AIP) 41 here:
A very short (1/4) thread 🧵below...
A question about @sama's @worldcoin: What happens when I lose my SK after registering with my iris? Or when my SK is stolen.
Currently, nothing, it seems. I'm done. I can't recover my account.
Disturbing, but potentially fixable (1/n) 🧵
If you ride motorcycles and do other fun things like commit to polynomials, Verkleize your trees, aggregate signatures or proofs, make HVZK interactive protocols non-interactive and/or write Rust code, then apply to @AptosLabs and we'll take you for a ride! (@rgelash @sherry_xzy)
🧵 @AptosLabs taught me the challenges of going from _idea_, to academic paper, to production-ready implementation and, finally, to deployment!
🎲 A perfect example is our *instant* on-chain randomness in Move, or @aptos Roll:
Let's look at the idea💡!
At @AptosLabs, researchers work closely with engineers to solve tomorrow's problems.
Ask @PetraWallet's @drewhariri, who just learned what a pairing-friendly group is, how BLS signatures work and how they give threshold OPRFs.
🥳🎉🍾 Aptos Keyless accounts!
1. No more mnemonics, no more lost keys!
2. Sign your @Aptos transactions with your existing Google account!
3. Sign in to a dapp without a wallet!
4. Protect your Aptos Keyless session using Face ID on Apple devices!
5. Privacy
The Aptos ZK ceremony was just the beginning! 🔥🛠️ Developers can keep up the momentum by checking out our Aptos Keyless SDK, now open for early testing and feedback on @Aptos Devnet.
Aptos Labs needs world-class builders on Aptos to put our research and tech to the test! 💪
Want to build powerful *cryptographic* dApps?
Check out @Aptos_Network's cryptographic APIs in Move!
Whether you want to veil your coins, harness off-chain public randomness, or verify a Groth16 ZKP over *any* curve, we've got you covered! 🧵
Like I said before, mnemonics suck!
So I contributed to the ZK ceremony for @Aptos_Network's OpenID-based blockchain accounts
Your blockchain account = your Google account!
Check out the 🌶️ details in AIP-61:
Lately, I find myself explaining the difference between threshold signatures, multisignatures and aggregate signatures quite frequently, so here are some slides on the topic (subject to change, as all things should be), should you find them helpful:
Today I learned a(nother) cool way to prove an inner-product from @sourav1547 et al.'s paper that leverages the univariate sumcheck protocol from Aurora.
Sweet thread on how @Aptos keyless accounts leverage the OpenID Connect (OIDC) protocol to authorize transactions.
This includes reaching consensus on the PKs of the OIDC providers, which was efficiently implemented and described in AIP-67 by @zjma2022!
1/ The team at @AptosLabs is actively working on developing Keyless accounts for @Aptos, investing significant effort into this revolutionary project🌠
As announced in AIP-61, the Consensus on JSON Web Keys is presented in a separate AIP-67 proposal.
Details in the thread👇
Lots of people like to sort the leaves of their Merkle tree as a way to prove *non*-membership.
In this blog post, I give 3 reasons why this is sub-optimal and try to convince you to almost always use a Merkle tr*i*e (prefix tree):
🧵 How do we provide instant on-chain randomness on @Aptos_Network?
One key ingredient is a fast Lagrange interpolation algorithm from our 2020 work (& my PhD thesis) with @bennypinkas, @ittaia et al.
So, if you're doing threshold BLS, read below...👇
Check out my #zkSummit11 talk on @Aptos keyless accounts:
The slides are available here:
Oh, that's me 🏍️'ing from CA to TX to catch the total solar eclipse 🌞 (and my flight to Athens, Greece for #zkSummit)
On-disk Merkle trees for state management are a bit slow. Here are some research directions to ameliorate this: Would love to get your thoughts on this!
1/ “If you thought before that science is certain, well, that’s just an error on your part.” – @ProfFeynman.
A thread 🧵 and blogpost ✍️ below, to remind us that science is a process, not a truth.
Mnemonics suck.
Thanks to @drewhariri's amazing work, auto-backed-up passkeys allow users to create an @Aptos_Network account without writing down a mnemonic!
Nor do they expose the underlying secret key, which will make it harder for users to shoot themselves in the foot.
How can you check concatenation efficiently within an arithmetic circuit? Consider: In R1CS, you cannot simply "assign" variables - for a string S, taking its slice S[:i] is either incredibly expensive, or incredibly complicated. 1/n
I can't watch this 🫣, but I hope you do! 😄
In the podcast, I cover @aptos on-chain randomness and keyless accounts.
Oh, and there's a lot of talk about peppers, for some reason? 🌶️
cc @perryjrandall and @aptoskent
Cutting edge crypto: PROD vs Sci-Fi
0.7x speed w/ frequent rewinds was the only way for this @zeroknowledgefm episode with @alinush407.
👊 to @AptosLabs for leading the charge on bringing the newest crypto research to users rather than just papers!
Yet Worldcoin clearly learns the biometric-PK association during user registration and could maliciously record it privately.
So not much would be lost in terms of privacy by exploiting this association to handle key revocation and enable account recovery.
Indeed, @Aptos_Network will soon enable support for *keyless* accounts!
Your @Aptos_Network blockchain account = Your OpenID account (e.g., Google, Facebook, Apple, etc.)!
Inexperienced users will no longer lose their secret key because they won't have one to begin with!
👇👇
OpenID Blockchain accounts implementation will be a step forward in enhancing user-friendliness, security, and efficiency.
Excited to share that as a representative of @everstake_pool, I joined the @Aptos_Network ZK Setup Ceremony.
Check out the 🧵for more explanations.
The devil, of course, is in the details.
And the details, unfortunately, are rather sparse in Worldcoin's technical description.
Hopefully, this will improve over time!
1/ Today, we announced our $150M Series A funding round. This is a testament to our team's technical expertise, the strength & activity of our ecosystem and the vision & ethos we all share.
@MoveBuilders @Aptos_Network @0xsrmist
2/ Do you want to know more about a distributed randomness API in #Move?
@alinush407 did us a favor by explaining what it is and invited us to join the AIP-41 - Move APIs for randomness generation discussion:
New work on scaling BLS threshold sigs (and other threshold cryptosystems), including its DKG protocol, by precomputing proofs fast in KZG polynomial commitments w/ @ittaia and @bennypinkas:
Tomorrow (Tuesday), IIRC, I will be talking about our work on UTT: Sensibly-anonymous decentralized payments without zkSNARKs.
Today is for flying across the Atlantic ocean 😅.
@AptosLabs @Aptos 5/ Keyless accounts
Say goodbye to cumbersome secret keys as users will have the option to link their blockchain accounts directly to existing OIDC accounts (such as Google)
Some details were previously highlighted here👇
@chelseakomlo At @Aptos_Network, for our PoS distributed randomness, we are using groups of ~1000 and thresholds of 666, leveraging my PhD thesis work.
Large thresholds can be a cheap price one pays for doing threshold crypto in the PoS setting!
@realjcz This is already happening to some extent: on @Aptos_Network, we leverage the OpenID Connect (OIDC) protocol to create "keyless" blockchain accounts backed by a Web 2 account: e.g., your blockchain account = your Google account or your Facebook account
Continuing the tweet hurricane 🌀 on the challenges of taking @aptos on-chain randomness from idea ✅, to *academic paper* 📜, to production-ready implementation and, finally, to deployment.
Let's look at *the paper* part of the journey! 🛣️ 🏍️
RaNd0Mly hack on your @Aptos_Network randapps!
See our developer-friendly API and how you can use it to build a raffle or a lottery.
On-chain, unpredictable, unbiasable, *instant* randomness! 🎲
In the world of blockchain technology, where predictability rules, Aptos Foundation invites you to the first-ever online Aptos RaNd0M Hack. It's time to...
Roll the dice 🎲
Spin the wheel 🌀
...and embrace the unexpected with tamper-proof randomness with Aptos' on-chain
@SashaSpiegelman @jacopo851 @dubbel06 @0xMert_ @XiangZhuolun
@jacopo851, from Algorand's design, their beacon is *external* and thus much trickier to use securely & swiftly (delivers once every 8 rounds).
Our APIs are as secure as our PoS blockchain & return randomness instantly to the caller (see screenshots).
Join us tomorrow for the first Vector Commitment day, organized by @13portocale and @rgennaro67. I'll be speaking about how to go beyond Merkle trees using lattices, polynomial commitments and other fantastic beasts!
@VitalikButerin How will Verkle trees affect state synchronization between nodes who are too far behind and up-to-date nodes?
The up-to-date nodes will have to spend time computing expensive Verkle proofs for the up-to-date state they send over, no?
Delighted to speak to you about ZK at @Aptos and ZK in general @edfrost_ur! 🙏
Time flies so fast when you’re talking about things you love ❤️
Should’ve done 2 hours!
I was delighted to welcome @alinush407 on the latest episode of Absolutely Zero Knowledge.
Watch as Alin unpacks the ZK use cases at @AptosLabs.
I've loved sharing my conversations with the ZK community... and all episodes will soon be on Spotify! 👀
We support (1) verifying BLS signatures, multisigs, and aggregate sigs on top of BLS12-381 curves (using proofs-of-possession to prevent rogue-key attacks)
Today I (almost fully) read: "Linear-map Vector Commitments and their Practical Applications" by Matteo Campanelli, @13portocale, @CarlaRafols, Alexandros Zacharakis and @arantxazapico
Huge shout out to @AnnaRRose for creating the ZK podcast @zeroknowledgefm and building an amazing community around it! 🙏
Honored to be a part of it again. Previously, I mused about stateless validation:
Also, big thank you to @nico_mnbl for co-hosting!
Check out our new technique for computing all N proofs fast in the Pointproofs VC by Gorbunov et al. (@sergey_nog), with a quick implementation here!
Check out @bennypinkas’s thread on our weighted DKG and weighted VRF constructions, the cryptography that powers @Aptos_Network’s *instant* on-chain randomness!
Excited to share our paper on a new simple and efficient way to design Verifiable Secret Sharing schemes in both synchrony and asynchrony with support for dual-thresholds
Joint work with @XiangZhuolun @alinush407 @SashaSpiegelman @bennypinkas and Ling!
There are 2 account models in DEFY.
1) The Aptos Keyless Accounts.
New accounts in Defy are generated using the Aptos Keyless Infrastructure, which eradicates the usage of public/private keys.
Your Google account = Your blockchain account.
If you want to read about the coolest signature scheme and its application, this blog post is for you!
Pointcheval & Sanders (PS) signatures can be computed directly over Pedersen commitments, are re-randomizable (together with the commitment) and are easily thresholdizable.
Check out @Aptos’s ZK circuit that powers Aptos keyless accounts, built by @mstrakastrak:
Very excited to share this with our ecosystem and the broader Web3 ecosystem!
We build in the open & we hope you do too! Surprise us with what you build!
Check out our new work with @superaluex and Zack Newman (MIT) on authenticated dictionaries with cross-incremental proof (dis)aggregation from hidden-order groups, with application to stateless validation and transparency logging:
Want to securely & efficiently bootstrap a threshold BLS signature scheme? Check out our new work w/ @ittaia and @bennypinkas on scalable distributed key generation protocols + bonus scalable verifiable secret sharing + bonus new vector commitment scheme:
Tomorrow at 9:10am PDT at @IEEESSP I'll present a few steps "Towards Scalable Threshold Cryptosystems", with Robert Chen, Yiming Zheng, @ittaia, @bennypinkas, Guy Golan Gueta and Srinivas Devadas. Check out our blogpost(s) for the nitty gritty details:
If you’re trying to understand what a #zeroknowledge proof is, without understanding what an (NP) relation or language is, you won’t get very far.
This short-and-sweet article by @nico_mnbl will get you there:
Cryptography is all about hardness assumptions: a problem is hard implies a cryptosystem is secure. What kind of assumptions do you like to use? In this post, I talk about a few RSA assumptions and how they relate to one another. Feedback is appreciated!
6/ Let's remember what science is: a process, a tool, a community. Fallible-but-redemptive. (Typically) falsifiable. Not a religion.
If rhymes help you, here's a few:
Science is not "true".
Science is what you *do*,
When you search for what is true.
...we also support (2) verifying Ed25519 signatures, (3) verifying ECDSA signatures with public key recovery and (4) cryptographic hashing via SHA2 and SHA3.
If you're new to the crypto(currency) world, you've probably often wondered "What is a Merkle tree?" We give a simple, illustrated answer in our blog post below, together with (what might be) an approachable security proof:
tl;dr: Your email account = your blockchain account
If you have ideas on bootstrapping Web3 blockchain accounts from existing Web2 accounts (e.g., Gmail, Twitter, GitHub, etc) *without* relying on extra trusted 3rd parties, take a look at @_weidai's thread below 🧵👇.
1/ Something that I'm excited about but have yet to see a team full-speed building on: web2 login account-abstraction wallets via zkSNARKs.
There are projects building this with MPC / TEEs, but I've yet to see one going full speed on this with ZK.
No PhDs are needed! 😄
These days, the cryptocurrency space *itself* is more than enough proof that cutting-edge cryptography work can be done by anyone: high school students, college dropouts, or undergraduates.
Amazing work all over the place! 🪄
This thread takes us into @Aptos Magic 🪄🌐
While challenging for those without a PhD or enough education, each try unveils deeper knowledge.
Investing time to enhance tech knowledge is worth it!
@alinush407 provides a window into deeper understanding!
Cryptic thought of the day: A Chaum-Pedersen signature under PK g^s is just H(m)^s but, unlike a BLS signature, uses a Discrete Log Equality (DLEQ) proof for verification (instead of a pairing). Question: Is this what you would cite as an academic reference for DLEQ proofs?
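As an added illustration of the thought above (example code written for this page, not the author's): a Chaum-Pedersen signature H(m)^s under PK = g^s whose verification is a DLEQ proof check rather than a pairing. It assumes a toy prime-order subgroup of Z_p^* found at import time; the hash-to-group, the domain-separation strings and the parameter size are my own choices.

```python
# Added example, not code from the original thread: Chaum-Pedersen signature
# sigma = H(m)^s under PK = g^s, verified with a DLEQ proof that
# log_g(PK) == log_{H(m)}(sigma) instead of the pairing check BLS uses.
# Group: the prime-order-Q subgroup of Z_P^* for a ~64-bit safe prime, a toy
# size chosen so the demo runs instantly (real deployments use an EC group).
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:                       # write n - 1 = d * 2^r with d odd
        d, r = d // 2, r + 1
    for _ in range(rounds):                 # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int) -> tuple[int, int]:
    q = (1 << (bits - 1)) | 1               # deterministic search upward from 2^(bits-1)+1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q                     # (P, Q) with P = 2Q + 1, both prime

P, Q = safe_prime(64)
G = 4  # a square mod P, hence a generator of the unique subgroup of prime order Q

def hash_to_group(msg: bytes) -> int:
    # Hash into [2, P-2] and square to clear the cofactor 2; x != +-1 so never the identity.
    x = int.from_bytes(hashlib.sha256(b"CP-H2G|" + msg).digest(), "big") % (P - 3) + 2
    return pow(x, 2, P)

def challenge(*elems: int) -> int:
    data = b"CP-DLEQ|" + b"|".join(e.to_bytes(16, "big") for e in elems)  # Fiat-Shamir
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen() -> tuple[int, int]:
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)

def sign(s: int, msg: bytes) -> tuple[int, tuple[int, int]]:
    # The signature value H(m)^s is deterministic (like BLS); only the DLEQ proof is randomized.
    h = hash_to_group(msg)
    sigma = pow(h, s, P)
    k = secrets.randbelow(Q - 1) + 1        # proof nonce
    c = challenge(G, pow(G, s, P), h, sigma, pow(G, k, P), pow(h, k, P))
    return sigma, (c, (k + c * s) % Q)

def verify(pk: int, msg: bytes, sigma: int, proof: tuple[int, int]) -> bool:
    # Recompute both DLEQ commitments from (c, z) and check the challenge matches.
    c, z = proof
    if not (1 < sigma < P and pow(sigma, Q, P) == 1):   # sigma must lie in the subgroup
        return False
    h = hash_to_group(msg)
    a = pow(G, z, P) * pow(pk, Q - c, P) % P            # g^z * PK^-c    == g^k
    b = pow(h, z, P) * pow(sigma, Q - c, P) % P         # H(m)^z * sigma^-c == H(m)^k
    return challenge(G, pk, h, sigma, a, b) == c
```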
Indeed, open sourcing ZK circuits is a must for two reasons:
1. It lets the community audit & improve our work
2. It allows for permissionless innovation
Web3 is open and for everyone. As innovations such as Aptos Keyless & passkeys help onboard 5 billion Internet users to web3, what better way to celebrate than to open-source the zero-knowledge circuit?
Looking forward to talking at the ETAPS '24 Industry Day about Securing the Aptos Framework through Formal Verification. ETAPS is a premier research venue and the research paper about the Move Prover was published at the '22 event.
They must be so happy to hear we use non-malleable Groth16 zkSNARK for keyless accounts, right?
Or because of the constant-sized shares in our weighted verifiable unpredictable function, used in randomness?
Or due to the optimized low-degree testing in our PVSS?
I’ll stop… 😂
EdDSA and/or Schnorr over Ristretto need to become more popular (and hopefully standardized): they implicitly avoid inconsistencies between individual signature verification and batch verification, preclude any small subgroup attacks and are just as fast, AFAICT.
Today's lesson on Move:
Ever wonder why functions are private or public? Let's go over the reasons you'll want to make them one way or another with a little chance game I like to call:
Dice roll
#DailyMove
Check out the *updated* Edrax paper by @chepurnoy, @chbpap and @YupengZhang7 on stateless cryptocurrencies from vector commitments (VCs). It uses multivariate polynomial commitments and SNARKs to obtain a VC with constant-sized proofs:
(3/4) Join the current discussion on how to refine this API here:
e.g., perhaps `generate` should not be seeded at all & instead return a different piece of randomness every time it is called, making `amplify` obsolete.
Systems that use the complaint-based sync Verifiable Secret Sharing for Distributed Key Generation, please check our VSS paper! We describe a simple VSS that needs only one broadcast in the worst case.
@arpaofficial @SkaleNetwork We knew that an adversary who can compute DLs can break CDH.
This paper shows, surprisingly, that the opposite also holds on many SoTA elliptic curves (i.e., DL and CDH are equivalent assumptions).
The last sentence in the abstract lacks context & should probably be ignored.
@cusma_b @ittaia @VitalikButerin @drakefjustin @dankrad @Khovr @Algorand
Indeed, Pointproofs are very cool! We relate to them in Sec 1.2. Real quickly though: (1) we precompute *all* proofs in quasilinear time (2) our proof updates have O(1)-sized update keys (3) our verification key is O(1)-sized and (4) our API accounts for (verifiable) update keys
Thank you @AnnaRRose and @fredhrson for having me and for digging deep with your questions! This was my very first podcast and I had lots of fun!
🔊 This week, @AnnaRRose and @fredhrson chat with @alinush407, a post-doc researcher at @vmwareresearch, about the concept of stateless systems. Specifically, they explore his work on stateless validation and why this would be desirable!
5/b The "scientific" facts! (No stronger than just "facts.")
The "scientific" evidence! (No stronger than just "evidence.")
The “scientific” truth! (No stronger than just "truth.")
@samlafer @0xMert_ @b1ackd0g Glad you liked the blog! :) Most of my writing is now focused on Aptos cryptography features:
Distributed randomness:
zkID:
Cryptography in Move:
Didn’t write *any* Narwhal implementation though! 🧐
Today, I am thankful for Catalano-Fiore (@dariofiore0) vector commitments (CF VCs), which we recently used to build authenticated dictionaries (ADs)! So check out our new blogpost on CF VCs and the ADs we built from them!
We suspected that PVSS-based aggregatable DKGs would be the cleanest to implement in the @aptos BFT protocol & should be efficient too.
The state-of-the-art was our EUROCRYPT'21 paper with @kobigurk, @Daeinar, Mary Maller, Sarah Meiklejohn & @Giladstern_:
In 2023, we realized a large class of Move dapps need access to *instant* randomness 🎲.
e.g., a simple call to, say, `randomness::u8_integer()` should *instantly* return a random byte to the caller.
DevX is very important to us, so the *instant* part was 🔑.
This is built atop solid cryptographic and consensus foundations. It feels great to work on something that is getting deployed in the real world. Thanks @Aptos_Network for the amazing opportunity!
Stay tuned for the technical paper...
@bennypinkas will be speaking about our new aggregatable publicly-verifiable secret sharing (PVSS) and verifiable unpredictable functions (VUFs) constructions in the proof-of-stake (weighted) setting.
These schemes make *instant* on-chain randomness possible on @Aptos!
I’m excited to announce I’ll be speaking at this coming Friday, 15 March, during Eth London. This conference delves into the intersection of Web3 and cryptography, discussing areas like ZK, MPC and FHE. You can register at this link. Hope to see you there!
Perhaps Ludacris was misunderstood:
That by singing “Move b****, get out the way”, he was rejoicing about the Move language, and how it gets out of memory key resources via a type safe borrow checker
How else could he do 100 on the (information super)highway?
#WordOfMouf